As reported by Bernard Keane in Crikey yesterday, Australia’s corporate regulator - ASIC - has admitted to another incident in which a website blocking request has led to the inadvertent blocking of thousands of websites.

In a written statement [PDF: 474KB] provided to the Senate Economics Legislation Committee, ASIC has admitted that one previous blocking request in which it specified an IP address, rather than a domain name, resulted in some 250,000 websites being blocked.

They claim that “the vast majority (in excess of 99.6%), appear to contain no substantive content. In this instance we believe that less than 1000 active sites (less than 0.4%) may have been temporarily affected. None of these are .au sites. There are various reasons why such a large number of sites with no substantive content may use the same address, such as through a ‘domain for sale’ operation.”

Given the evident lack of even a basic understanding of the functioning of the Internet’s addressing system within ASIC, these claims are simply not credible. Has ASIC actually reviewed all 250,000 sites to determine whether they contain ‘substantive content’? How do they define ‘substantive content’? Do they believe that ‘only 1000 active sites’ is an acceptable level of collateral damage? The fact that none of them were using .au domain names does not mean that they are not sites operated by Australian entities (such as melbournefreeuniversity.org), nor does it mean that they are not sites that Australians wish to access.

While ASIC’s motives are of course laudable - to protect Australians from fraudulent investment schemes - their use of section 313 of the Telecommunications Act to block these websites is extremely problematic.

In its statement, ASIC has committed to consult with other government agencies and police “to determine how we can best disrupt websites that are part of criminal operations without impacting on legitimate sites”, and is looking at:

how to ensure only specific websites are targeted (use the domain name, not the IP address; it’s really simple!);

contacting hosting or domain name providers to have sites taken down at their source; and

redirecting blocked sites to a landing page indicating why the site is inaccessible.

They have also committed to publicly report on their use of s313 on an annual basis.
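The kind of pre-issue check a regulator could run before sending a request, as an added example (not EFA's or ASIC's code; every hostname and address below is constructed, using the documentation-only 192.0.2.0/24 range): it inverts an A-record snapshot so that a proposed IP-level block can be compared with a domain-level block, and counts the collateral, parked and .au names each would take down.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed A-record snapshot (hostname -> IPv4). 192.0.2.0/24 is reserved for
# documentation, so these addresses are placeholders, not real hosts.
A_RECORDS = {
    "scam-investments.example": "192.0.2.10",   # the site a request is meant to target
    "community-uni.example": "192.0.2.10",      # unrelated site on the same shared host
    "retailer.com.au": "192.0.2.10",            # an Australian site on that host
    "parked-0001.example": "192.0.2.10",        # 'domain for sale' placeholders
    "parked-0002.example": "192.0.2.10",
    "blog.example": "192.0.2.10",
    "unrelated.example": "192.0.2.20",          # different address, must be untouched
}
# Constructed list of names known to serve only parked/for-sale pages.
PARKED = frozenset({"parked-0001.example", "parked-0002.example"})

def by_address(records):
    """Invert hostname -> IP into IP -> set of hostnames sharing that address."""
    index = defaultdict(set)
    for host, addr in records.items():
        index[str(ip_address(addr))].add(host)
    return index

def impact_of_block(intended, mode, records, parked=frozenset()):
    """Report what blocking `intended` would actually take down.

    mode "domain": block only that name.  mode "ip": block its address, which
    takes down every name resolving there (the failure mode described above).
    """
    if intended not in records:
        raise KeyError(f"no A record for {intended}")
    if mode == "domain":
        blocked = {intended}
    elif mode == "ip":
        blocked = by_address(records)[records[intended]]
    else:
        raise ValueError("mode must be 'ip' or 'domain'")
    collateral = blocked - {intended}
    return {
        "mode": mode,
        "blocked": sorted(blocked),
        "collateral": sorted(collateral),
        "collateral_parked": len(collateral & parked),
        "collateral_active": len(collateral - parked),
        "collateral_au": sorted(h for h in collateral if h.endswith(".au")),
        "safe_to_issue": not collateral,   # any collateral means: narrow the request
    }
```

Running `impact_of_block("scam-investments.example", "ip", A_RECORDS, PARKED)` shows five collateral names (two parked, three active, one of them .au) against none for the "domain" mode.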

These steps are all very necessary and have our support, but EFA believes that ASIC must cease all use of s313 to block websites until they have:

learnt how the Internet addressing system functions;

implemented, in consultation with the Department of Broadband, Communications and the Digital Economy, clearly defined processes for the use of this power, including some form of independent oversight; and

implemented a landing page to which blocked sites can be redirected that will inform affected users trying to access a blocked website.

EFA believes that the use of s313 to block websites should be subject to judicial oversight, through a requirement for a warrant to be issued for each request.

EFA has been a leading voice against internet filtering in Australia, through our Open Internet campaign. You can support our work in fighting for digital freedom, access and privacy in Australia by joining or donating today.

11 comments

Off to one side of the technical debate about ASIC's use of S313 rulings/requests for assistance is the ongoing lack of accountability and judicial oversight which goes hand in hand with not being required to present warrants for site take-downs to service providers. Most section 313 orders, for example as requested by the Australian Federal Police, require a warrant to be issued to provide judicial oversight.

Does ASIC believe that they are above the law, and therefore do not need to apply for the warrants which would require them to justify their action? With any sort of luck, a requirement to request a warrant would also have the person signing the warrant asking about collateral damage, and expecting to get an honest answer, because anything less than complete honesty in an application for a warrant is a crime.

As a rule, Australians don't care who infringes on their personal rights, but if it is made particularly clear to them that this organisation, which has been proven incompetent in court time after time, should not be in a position to be able to ride roughshod over the responsibilities which they shoulder as our corporate regulator.

Perhaps the time is here, for ASIC to be made answerable to another organisation further up the food chain which has the capacity to prevent them looking stupid every time they attempt to "protect" us.

Comment by Daemon Singer on 5 June 2013 at 09:41

If they had a warrant or Court Order they wouldn't need a S313 request. The whole point of S313 is to bypass the Courts; adding to a bad Law is still going to give you a bad Law. Repeal S313 and get us a Bill of Rights, including a Right to Free Speech. Politicians are again pushing for a Republic; if they are altering the Constitution for a Republic they can alter it for a Bill Of Rights.

Comment by Womp on 5 June 2013 at 10:11

This article shows a lack of understanding of how DNS works on the part of EFA far more than ASIC.

ISPs do not necessarily control DNS, end users are free to use DNS services outside of the control of the ISP (Google, OpenDNS, etc). Therefore blocking by DNS name would be almost completely pointless.

Given the number of people falling for online scams I see no problem with blocking IPs of hosting providers who do not respond to requests from law enforcement to take down fraudulent sites. If the owner of the IP was notified that their IP is now blocked from Australia they could take action (if they are a credible host) to remove the site and be unblocked.

Given the low cost of hosting within Australia I don't see why credible Australian sites can't just get local hosting and therefore be safe from such blocks.

There is certainly a point to be made regarding collateral damage from IP blocks but EFA doesn't help the situation by posting very misleading information, please stick to the facts (and correct this article).

Comment by Joseph on 5 June 2013 at 10:21

>ISPs do not necessarily control DNS, end users are free to use DNS services outside of the control of the ISP (Google, OpenDNS, etc). Therefore blocking by DNS name would be almost completely pointless.

True, but the overwhelming majority of users take their DNS service from their ISP, so domain name blocking would in fact prevent access to these sites for this majority of users.

>Given the low cost of hosting within Australia I don't see why credible Australian sites can't just get local hosting and therefore be safe from such blocks.

The physical location of the host has no bearing on whether a domain name or IP address block implemented by a user's ISP will prevent access to a site.

Comment by jlawrence on 5 June 2013 at 10:28

>The physical location of the host has no bearing on whether a domain name or IP address block implemented by a user's ISP will prevent access to a site.

Apologies, I should have been clearer.

I was referring to the fact that within Australia other legal avenues can be used to target the hosting provider directly and get them to take down the site and if required reveal the identity of the entities involved in hosting the illegal/fraudulent material instead of blocking. These avenues are not available for use overseas as hosting providers in other countries are not bound by Australian law.

I feel S313 should not be applicable to locally hosted content as entities providing connectivity would have to comply with Australian law and take down the offending content. Do you know if MFU was hosted within Australia during the blocking (I note it is now)?

I feel ASIC knows the difference between DNS and IP blocks and chooses to use IP blocks to increase effectiveness.

Comment by Joseph on 5 June 2013 at 10:46

Thanks for clarifying.

It's true that local hosts are much more likely to cooperate with ASIC (or other government agencies) in taking down sites that involve illegal activity. That doesn't mean that some international hosts won't also cooperate, and in their recent evidence to Senate Estimates, the Federal Police said that they find this approach more effective in many cases (even with international hosts) than trying to block sites.

I'd agree that s313 should not apply to locally hosted content. MFU's website was previously hosted in the US.

I don't think ASIC does understand the difference. In their statement they say that they are looking into 'how to ensure only specific websites are targeted'.

Last week, AFP's deputy commissioner Michael Phelan said that the AFP has used the Act to block malware and phishing attempts since 2004, but found that it was not a very effective way to deal with the problem.

"Over time, it's much more useful and far more valuable to actually get in contact with those that are hosting the material, and so on, and block it at the source, and get them to just tear down the sites, and so on, off-shore," Phelan said last week.

Comment by jlawrence on 5 June 2013 at 10:55

>I don't think ASIC does understand the difference. In their statement they say that they are looking into 'how to ensure only specific websites are targeted'.

That's probably more of a 'we got busted being lazy and doing things the easy way' statement rather than evidence they don't understand how the blocks work. DNS blocking would mean approaching each ISP individually and even then it won't stop people using other DNS services (which whilst a smaller number I'd argue there are still non-technical people who use this method).

By approaching those who do most of the international traffic ASIC (and others) are capable of ensuring the majority of the country cannot access an IP (without specifically tunnelling to another country).

I certainly agree oversight is needed here, but I think S313 IP blocks should be able to be used to block uncooperative network/hosting providers in hostile countries (which considering the host was US based I'm not sure this was the case here).

Comment by Joseph on 5 June 2013 at 11:14

These blocks (regardless of whether they're using an IP or a domain name) require an approach to individual ISPs. ASIC confirmed in their evidence (see the video) that they have focused on the major ISPs that control the international gateways.

There's no question that these blocks, however implemented, will never affect all users in Australia and are trivial to circumvent, but they do prevent access for a very large percentage of users (likely >90%).

Comment by jlawrence on 5 June 2013 at 11:24

>end users are free to use DNS services outside of the control of the ISP (Google, OpenDNS, etc).
The same argument could be made about a proxy, VPN or Tor; blocking an IP address like we saw did not prevent me from accessing it via a simple web proxy.

>Given the number of people falling for online scams
I strongly encourage ASIC to cease and desist all web filtering and instead provide a public domain feed of verified scam sites.
ASIC needs to release details of all sites blocked so the public can vet its incompetence.

I would use this feed for my family but not use it myself; it's a preference. In addition, my research overlaps these types of sites.

I don't have figures but as a thought: those falling for scams would likely not select DNS servers of their own choosing but rather let the ISP hand it to them.

Access to a scam website does not constitute an offence, if you wish for ASIC to filter your home connection that is your prerogative.

>Given the low cost of hosting within Australia I don't see why credible Australian sites can't just get local hosting and therefore be safe from such blocks.

Australian hosting costs a lot more than our overseas counterparts. CloudFront charges $0.120/GB for North America and Europe but $0.190/GB for its Australian PoP in Sydney, for example.

Amazon EC2 charges:

US East:
Small (Default) $0.060 per Hour
Medium $0.120 per Hour
Large $0.240 per Hour
Extra Large $0.480 per Hour

Sydney:
Small (Default) $0.080 per Hour
Medium $0.160 per Hour
Large $0.320 per Hour
Extra Large $0.640 per Hour

Comment by Steven Roddis on 5 June 2013 at 17:00

>Given the number of people falling for online scams I see no problem with blocking IPs of hosting providers who do not respond to requests from law enforcement to take down fraudulent sites.

This shows a staggering and scary tolerance for government silencing of vast amounts of unrelated, non-infringing content simply in the name of stomping on a single small-scale infringement.

We're treading on Blackstone ratio territory here - how much "innocent free speech" (or whatever you want to call it) should be shut down to punish one guilty party?

>Given the low cost of hosting within Australia I don't see why credible Australian sites can't just get local hosting and therefore be safe from such blocks.

This is a strawman - but in any case the "low cost" of hosting only holds true on a small scale; after a certain point (mostly dependent on bandwidth usage) the costs skyrocket. I work for a company that does commercial online service hosting and routinely advise people to host in the USA or EU if they have significant bandwidth requirements.

In any case, I would love to see some supporting evidence from ASIC that gives some sense of scale to the problem. For example, how does the impact of these "illegal websites" compare against, say, the impact of scam/phishing emails?